Solved

Basic VPN to Cisco ASA without authentication

Posted on 2009-05-06
Last Modified: 2012-05-06
Could anyone help me? I'm vaguely familiar (but certainly no expert) with the PIX, but this is my first ASA, and it's giving me grief! I've got most of it working, but I'm stuck on the VPN. We use VPN to PIX to access small sites without further authentication -- just group name and password and connect. (I know it's not good for security, but for what we do it works well, and often we have no other option anyway.)
Anyway, I can't get it to work on the ASA, but could really do with it, urgently!
Below are what I think are the relevant code fragments...
Could anyone please point me in the right direction... Please don't say it isn't possible any more!!
Thanks.
PIX code that seems to do the trick; comments in brackets are the bits the ASA turned its nose up at:
 
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
 
vpngroup lestac address-pool vpnpool (vpngroup deprecated)
vpngroup lestac password secret (ditto)
vpngroup lestac dns-server yserver1 (ditto)
vpngroup lestac wins-server yserver1 (ditto)
vpngroup lestac default-domain harlow (ditto)
vpngroup lestac idle-time 1800 (ditto)
 
ASA "bits" I tried to use to replace the "deprecated" PIX bits to get the same effect:
tunnel-group lestac type ipsec-ra
tunnel-group lestac general-attributes
address-pool vpnpool
tunnel-group lestac ipsec-attributes
pre-shared-key secret
default-group-policy lestac
group-policy lestac attributes
wins-server value 192.168.60.10
dns-server value 192.168.60.10
default-domain value harlow.local
vpn-idle-timeout 1800
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec

Question by:seworby
4 Comments
 
Expert Comment

by:stsonline
ID: 24319983
For an ASA remote access VPN, you need pieces, three of which can be named the same: a group-policy, a tunnel-group, and a username. Here's a very basic example for vendor access:

# Create an ACL for vendor access to any destination
access-list vendor_acl extended permit ip any any

# Create a group policy
group-policy vendor internal

# Define the acl this policy will use
group-policy vendor attributes
  vpn-filter value vendor_acl

# Create the user
username vendor password *****

# Define the group policy and acl to control this user
username vendor attributes
  vpn-group-policy vendor
  vpn-filter value vendor_acl

# Define a tunnel group - type for remote access is 'ipsec-ra'
tunnel-group vendor type ipsec-ra

# Define the group characteristics
tunnel-group vendor general-attributes
  default-group-policy vendor

# Define the group password
tunnel-group vendor ipsec-attributes
  pre-shared-key *****

There are lots of other keywords you can include; for example, you can add 'vpn-idle-timeout 15' to the group-policy section and have the VPN logout after 15 minutes of idle time, you can add 'vpn-framed-ip-address 192.168.1.10 255.255.255.0' under the username attributes to assign an IP address to that user, and so on. But this framework will get you started... for more info, check out this link:

http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/sitesite.html


Expert Comment

by:stsonline
ID: 24319997
Sorry about the typo... the first line should read "you need four pieces..."  - the three names and an ACL.
 

Author Comment

by:seworby
ID: 24322642
Thanks for your help on this. As you can see from my code, I've got most of this in place. I've got the access_list bits in place, too, but didn't quote them because it's just not getting that far. I can't get past the Cisco client asking for username and password. The only bit I haven't got is the vpn_filter value bit, but I don't think it's going to be that causing my problem?
Having spent some time reading up last night, I'm wondering if it's my AAA I've got wrong. I'll have access to the ASA in a couple of hours and I'll take another look.
I'll let you know how I get on.
Thanks
 

Accepted Solution

by:
seworby earned 0 total points
ID: 24325599
I have it working. Whether it's the right way or not is a different matter...
The key to it is to set up a user so it has a user in the database to allow the secondary authentication to authenticate against. It seems this isn't necessary on the PIX but is on the ASA.
The vpn-filter value turned out in the end to be a bit of a red herring, as having it on prevented traffic from passing once connected.
---
username xzy password xyz123 privilege 2

Thanks
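The thread's fix (a database user plus tunnel-group/group-policy) gets the tunnel up, but the quoted fragments also carry settings a reviewer would flag: DES and MD5 in the transform-set and IKE policy, DH group 2, a `permit ip any any` vpn-filter ACL, and an idle timeout that is in seconds on the PIX `vpngroup` but in minutes in the ASA `group-policy` (as stsonline's `vpn-idle-timeout 15` illustrates). Below is an added example, not code from the thread or from Cisco: a small Python audit that scans an ASA config text for those specific settings. The sample config is constructed from the fragments above; the key "secret" is the asker's redaction, not a real key.

```python
import re

# Constructed sample modelled on the config fragments quoted in the thread;
# not anyone's full running config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
access-list vendor_acl extended permit ip any any
group-policy lestac attributes
 vpn-idle-timeout 1800
 vpn-simultaneous-logins 10
tunnel-group lestac ipsec-attributes
 pre-shared-key secret
"""

# Keyword -> finding text. Keywords are matched as whole words only.
WEAK_TOKENS = {
    "esp-des": "single DES in transform-set (56-bit key); prefer esp-aes-256",
    "esp-md5-hmac": "MD5 integrity in transform-set; prefer esp-sha-hmac",
    "encryption des": "IKE phase 1 single DES; prefer aes-256",
    "hash md5": "IKE phase 1 MD5; prefer sha",
    "group 2": "1024-bit DH group 2; prefer group 14 or higher",
}

def audit_asa_config(text):
    """Return a list of (line_number, finding) tuples for weak settings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        for token, msg in WEAK_TOKENS.items():
            if re.search(r"\b" + re.escape(token) + r"\b", s):
                findings.append((n, msg))
        if s.startswith("access-list") and s.endswith("permit ip any any"):
            findings.append((n, "ACL permits all traffic; scope a vpn-filter to needed hosts"))
        m = re.match(r"vpn-idle-timeout (\d+)$", s)
        if m and int(m.group(1)) > 60:  # ASA value is minutes, PIX idle-time was seconds
            findings.append((n, "vpn-idle-timeout %s is minutes on the ASA, not seconds" % m.group(1)))
        if s.startswith("pre-shared-key") and len(s.split(None, 1)[1]) < 16:
            findings.append((n, "short group pre-shared key; use a long random value"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_asa_config(SAMPLE_CONFIG):
        print("line %d: %s" % (lineno, msg))
```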